
Content

In this Twitch stream we analyze the multi-stage delivery chain used to install Jupyter / Solarmarker InfoStealer. The delivery chain includes an Inno Installer, malicious Pascal script, malicious PowerShell script, and a reflectively loaded .NET assembly.

Stage 1 - Unpacking Inno (Pascal)

  • Use Inno Extractor to extract all files from the Inno installer
  • Use Inno Setup Decompiler to decompile the extracted CompiledCode.bin file
  • Use DirWatch to monitor the %temp% directory with the "auto save" option enabled
  • Grab the two .txt PowerShell files that were dropped in %temp% -- these are Stage 2

Stage 2 - PowerShell Deobfuscation

Instead of attempting to manually decode the PowerShell, we can take advantage of the fact that it reflectively loads a .NET assembly and simply dump the assembly out of the process.

  • Run the malware and watch the process tree with ProcessHacker.
  • When the PowerShell process executes, suspend it (there are 9, just grab the one that stays running)
  • Use ExtremeDumper to dump the .NET assembly out of the PowerShell process
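Added example, not code from the stream or the OALABS lab notes: a small Python carver that shows the heuristic a memory dumper relies on to tell the reflectively loaded assembly apart from PowerShell's own native images. It walks a raw memory blob for MZ/PE headers and keeps only those whose data directory has a non-empty CLR header entry (index 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR). The PE images and the memory blob are constructed inline; the RVA and size values in them are made up for the test.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_HEADER_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero only in managed (.NET) images


def find_dotnet_images(blob: bytes) -> list:
    """Return offsets of PE headers in blob whose data directory points at a CLR header."""
    hits = []
    pos = blob.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # sanity bounds on e_lfanew, then the PE signature must be there
            if 0x40 <= e_lfanew < 0x1000 and blob[nt:nt + 4] == IMAGE_NT_SIGNATURE:
                opt = nt + 4 + 20  # optional header follows the 20-byte COFF header
                if opt + 2 <= len(blob):
                    magic = struct.unpack_from("<H", blob, opt)[0]
                    # data directories start at +96 (PE32) or +112 (PE32+) in the optional header
                    dd_off = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}.get(magic)
                    if dd_off is not None and opt + dd_off + (CLR_HEADER_INDEX + 1) * 8 <= len(blob):
                        rva, size = struct.unpack_from("<II", blob, opt + dd_off + CLR_HEADER_INDEX * 8)
                        if rva and size:
                            hits.append(pos)
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def build_fake_image(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections, not loadable), used only to exercise the carver."""
    e_lfanew = 0x80
    dos = (IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    dd_off = 112 if pe32plus else 96
    opt_size = dd_off + 16 * 8  # 16 data directory entries of 8 bytes each
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if dotnet:  # constructed RVA/size for the CLR header entry
        struct.pack_into("<II", opt, dd_off + CLR_HEADER_INDEX * 8, 0x2008, 0x48)
    return dos + IMAGE_NT_SIGNATURE + coff + bytes(opt)


# Constructed stand-in for a process memory region: junk, a managed image, padding, a native image, a managed PE32+ image
SAMPLE_BLOB = b"garbage" + build_fake_image(True) + b"\0" * 16 + build_fake_image(False) + build_fake_image(True, True)
```

Running find_dotnet_images(SAMPLE_BLOB) returns the two offsets of the managed images and skips the native one; on a real dump the same check is what separates the payload assembly from the CLR and PowerShell DLLs mapped in the same process.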

Samples

Packed sample: ee904ce81c66b774897f93b0301e297a9137295516d57ba1c4e078a383cbce39

The sample is too large to upload to Malshare directly, so an encrypted zip with the password "infected" was uploaded instead. The sample can be downloaded from Malshare HERE.

Lab-Notes: GitHub - JupyterStealer

Files

Live Stream VOD: Analyzing Jupyter / Solarmarker InfoStealer Delivery Chain


Comments

m4n0w4r

Note here: https://github.com/lckt0/DotKill-Unpacker can support removing Math protection.

oalabs

This is part of the iDefense tool suite http://sandsprite.com/iDef/MAP/. It also comes as one of the packages with FLARE-VM which is how we install it https://github.com/mandiant/flare-vm